Oracle Patches 169 Vulnerabilities in January Update

Oracle fixes security flaws across its software portfolio, including ones in its database, e-business suite, Solaris and Java.

Oracle released its first Critical Patch Update (CPU) for 2015 on Jan. 20, providing its customers with patches for 169 security vulnerabilities.

Thirty-six of the fixed flaws are in Oracle's Fusion Middleware products; Oracle notes that 28 of them may be remotely exploitable without authentication, meaning an attacker with network access could exploit them without any username or password.

The Oracle Sun Systems product suite receives fixes for 29 security issues, 10 of which are remotely exploitable without authentication. The suite includes the Solaris Unix operating system, which Oracle acquired along with Sun Microsystems in 2010.

Oracle also gained the Java platform through the Sun acquisition, and Java is patched in the January CPU as well: 19 Java vulnerabilities are fixed, 14 of them remotely exploitable without authentication, and four of them carry the highest possible CVSS (Common Vulnerability Scoring System) base score of 10.0.

"While this is a relatively low number of critical vulnerabilities in Java, it demonstrates that Java security issues are far from being over," Barry Shteiman, director of security strategy at Imperva, told eWEEK. "Companies and products that rely on Java as a core platform should take proper security measures to ensure that it is used securely."

In a blog post, Eric Maurice, director of Oracle Software Security Assurance, also commented on the improving state of Java security at Oracle.

Beyond patching vulnerabilities in Java itself, the update also protects Java users against the POODLE Secure Sockets Layer (SSL) vulnerability. POODLE was disclosed by Google in October 2014 as a flaw in the legacy SSL 3.0 protocol used to encrypt Web traffic; because the weakness is in the protocol's design rather than in any one implementation, the remedy is to stop negotiating SSL 3.0 altogether. As of the January CPU, Oracle disables SSL 3.0 by default in the Java runtime (through the jdk.tls.disabledAlgorithms security property), so Java clients and servers no longer accept it unless an administrator deliberately re-enables it.

Security researcher David Litchfield reported six of the 169 fixed vulnerabilities, including a particularly dangerous backdoor flaw in Oracle E-Business Suite. The flaw is tracked as CVE-2015-0393, and Litchfield first reported it to Oracle on June 11, 2014.

"In certain versions of eBusiness suite, the PUBLIC role is granted the INDEX privilege on the DUAL table owned by SYS allowing anyone to create an index on this table," Litchfield explained in his advisory. "Anyone with a vulnerable eBusiness suite web server connected to the internet is potentially exposed to this as it is possible to chain multiple vulnerabilities to exploit this without a username and password."
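As an added example, not taken from the article or from Litchfield's advisory, the following SQL shows how a database administrator could check an Oracle instance for the privilege grant Litchfield describes, look for any index that has already been created on SYS.DUAL, and remove the grant. It assumes a session with SELECT access to the DBA_* views and the authority to revoke object privileges; the assumption that a default installation has no INDEX grant to PUBLIC on SYS.DUAL and no indexes on that table is stated in the comments. Revoking the grant is a hardening check, not a replacement for applying the CPU itself.

```sql
-- Added example: detect and remediate an INDEX privilege on SYS.DUAL
-- granted to PUBLIC. Run as a user with SELECT on the DBA_* views.
-- Assumption: a clean Oracle install returns no rows from queries 1-3.

-- 1. Is INDEX on SYS.DUAL granted to PUBLIC (or to anyone else)?
SELECT grantee, privilege, grantor, grantable
  FROM dba_tab_privs
 WHERE owner      = 'SYS'
   AND table_name = 'DUAL'
   AND privilege  = 'INDEX';

-- 2. Has the privilege already been exercised? List every index on
--    SYS.DUAL together with its owner and type.
SELECT owner, index_name, index_type, status
  FROM dba_indexes
 WHERE table_owner = 'SYS'
   AND table_name  = 'DUAL';

-- 3. For function-based indexes, the indexed expression shows exactly
--    what code the index evaluates, so review it before dropping anything.
SELECT index_owner, index_name, column_position, column_expression
  FROM dba_ind_expressions
 WHERE table_owner = 'SYS'
   AND table_name  = 'DUAL'
 ORDER BY index_owner, index_name, column_position;

-- 4. Remediation: remove the grant, then still apply the January CPU.
REVOKE INDEX ON sys.dual FROM PUBLIC;

-- 5. Broader sweep: INDEX on any SYS-owned object is never something an
--    application schema, let alone PUBLIC, should hold.
SELECT table_name, privilege, grantor
  FROM dba_tab_privs
 WHERE grantee   = 'PUBLIC'
   AND owner     = 'SYS'
   AND privilege = 'INDEX'
 ORDER BY table_name;
```

Queries 1 and 2 are the ones to put in a recurring configuration audit: a row from either on a system that has not been patched is a signal to escalate, and query 3 tells you what any unexpected index actually does before you drop it.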

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.